Tuesday, July 08, 2008

SCADA Watch: A Legacy of Insecurity & the Control System Lifecycle

The classic definition of the cornerstones of information security are:

Confidentiality, meaning that the data that you send or receive can not be read by others.

Integrity, the data is valid, has not been tampered with and originates from the authenticate source.

Availability, the data is available when it is needed.

When we apply these criteria to control system environments we see that only one of these elements, availability, is present. Control systems were designed with availability as the overriding criteria to such an extent, because of the nature of the environments in which they existed in the past, they seemingly ignore the other two criteria.

The majority of control systems do a very poor job with data confidentiality and integrity. This is especially true when these criteria are applied to the huge legacy system install base.